AMP False Positive for chromesetup.exe

Bill CARTER
Level 5

I believe I am getting a false positive for ChromeSetup.exe. I downloaded the Chrome beta installer direct from Google.

SHA-256 a1fa0737b15a05ac5073985839af253f3470c162730f89f604eb3dc008066c05

Virus Total analysis

https://www.virustotal.com/en/file/a1fa0737b15a05ac5073985839af253f3470c162730f89f604eb3dc008066c05/analysis/1496843791/


David Janulik
Cisco Employee

Hi Bill,

I checked the SHA-256, which belongs to Chrome updater. As this is signed by a 3rd party, we need to open a BUG for false positive.

Please go ahead and open a ticket with TAC, as we need a formal procedure to get this fixed. That means the BUG requires a ticket number bind.

Hope this helps

David

Cyber security escalation engineer

Seems to be a general problem that Chrome installers are detected as false positives. I've had to whitelist the following SHA-256 in just a few weeks, all confirmed to be false positives of ChromeSetup:

17ef28f7f5436594b9692c1e7774f7a87458077d55acc8cb0ec3a1ac2ea313bc

f9bf57412d8ef5a04d20af4e6fb29e09498e86b6083c650df60c1aa864cfcbf9

29aec6b94406cd3bbdbcbeda01028db8b0fdd7b43e9e233609a9aac290c1897f

3811c9f6c667c0f7f8d667d8b5c301ac94ea4736b91b3dde3c4a721c88e6430a

I've occasionally run into the same issue with my password management tool (Keepass). On 2-3 occasions over the past couple of years it was incorrectly identified as malware and quarantined. I had to whitelist the SHA-256 hash to allow it to update.

I did so after confirming the SHA-256 with the source code and confirming it with the developer. Unfortunately I have a lab license and was unable to open a TAC case on it.
